1.1 Background: Cybersecurity and the Backlash against Economic Globalisation
The deep integration of internet technologies in our everyday life and business has dramatically impacted the first decades of the twenty-first century. Artificial intelligence, autonomous vehicles, cryptocurrencies, and the Internet of Things have become ubiquitous and continue to expand. The COVID-19 pandemic resulted in individuals and businesses spending more time and money online.[1] These developments have increased our dependence on the Internet, and access to an open, stable, and secure cyberspace plays a crucial role not only for businesses but also for the wellbeing and functioning of people’s lives.
Simultaneously, the number and sophistication of cybercrimes keep increasing, indicating that current cyber regulation has failed to catch up with rapidly emerging cyberthreats. It is reported that in 2021, 80 per cent of businesses experienced ransomware attacks.[2] Reported cases of malicious uses of cyberspace as a way of advancing the interests of states have also increased. These include Russia declaring itself the first state ever to launch a COVID-19 vaccine for public use, following official reports from the United Kingdom that Russian hackers had attempted to steal data relating to its COVID-19 vaccine research. The European Union and the United States attributed a distributed denial of service (DDoS) attack on Ukrainian internet infrastructure to Russian military cyber operators. This attack was reported to be part of Russia’s hybrid warfare strategy for the invasion of Ukraine in February 2022.[3]
This century has also witnessed the intensification of interstate competition for dominance in terms of both technology and normative development in cyberspace. One notable example is the diffusion of 5G technologies, which could form the backbone of national competitiveness and innovation in the future. States compete over who develops technologies, sets standards (relevant for establishing levels of performance and compatibility), and holds the relevant intellectual property.[4] As discussed further in Chapters 2 and 4, the major cyberpowers – the United States and its allies, on the one hand, and China and Russia, on the other – have presented and supported contrasting agendas on cyber norms.[5]
China has recently risen as a key ‘non-Western’ economic and political power. Rapidly growing Chinese investments in strategic technology firms in other countries have drawn renewed public attention to the security risks posed by foreign investment and trade. This has contributed to the acceleration of the current backlash against economic globalisation. Since 2016, major Western economies have begun to introduce, or to tighten, foreign direct investment (FDI) screening mechanisms,[6] with cybersecurity serving as an important justification for this policy shift.[7] As major economies reassert control over borders, they may be tempted to rely on the concept of cybersecurity to pursue protectionist goals, thus fuelling the backlash against economic globalisation. These actions may also conflict with international law frameworks on trade and investment founded on the concept of economic openness.
These intensifying cyberthreats, increasing geopolitical tensions, and a backlash against economic globalisation call for a reassessment of cybersecurity governance.
1.2 Aims and Scope
This book examines cybersecurity challenges, governance responses to them, and their limitations, engaging in an interdisciplinary approach combining legal and international relations disciplines. It builds on the fundamental premise that cybersecurity challenges require a widely agreed-upon set of international norms. Domestic laws and regulations play a primary role in governing cyberspace. Although inter-governmental agreements (both binding and non-binding) between like-minded states[8] and private sector voluntary standards[9] tackle an increasing number of cybergovernance and cybersecurity issues, the world still lacks widely accepted norms on cybersecurity. States have attempted to agree on universal norms for cyber and cybersecurity governance at the United Nations (as discussed in detail in Chapters 2 and 4) and other forums,[10] but so far have failed to produce a universally agreed set of norms. Global cybergovernance now resembles a patchwork of diverse laws and policies. This book offers an interdisciplinary approach involving both law and international relations that explores ways of filling the gap.
The book has three main aims. First, it examines the current political and legal context of cybersecurity governance, highlighting the divide between two contrasting models of cybergovernance. The first approach, taken by the Western countries, puts emphasis on the freedom of cyberspace, the free flow of information, the protection of civil and political rights, and privacy.[11] This book calls this approach the ‘market-oriented’ model. The other approach, exemplified by most member states of the Shanghai Cooperation Organization (SCO),[12] emphasises states’ sovereignty over cyberspace (cyberspace sovereignty), treating information itself as a potential threat.[13] This book calls this approach the ‘state-oriented’ model. Certainly, there is no ‘pure form’ of either the market-oriented or the state-oriented model, as attested to, for example, by the emergence of the concept of ‘digital sovereignty’ in the European Union as a tool to enable protection and government intervention.[14] Nevertheless, the underlying reasons for governmental intervention, namely, protection of data and citizens’ rights, on the one hand, and state control and surveillance, on the other, clearly differ.[15]
The divide between these two models blocks international co-operation on many cybersecurity matters.[16] This book explores this challenge by examining: (a) the liberal international order, the free and open (market-oriented) governance in cyberspace, and the challenges such governance has faced (Chapter 2); (b) China’s cybersecurity policy and the concept of ‘cyber sovereignty’ as a manifestation of the state-oriented model (Chapter 3); and (c) the challenges the cybercrime convention negotiations at the United Nations have faced (Chapter 4).
Second, this book evaluates the success, potential, and limitations of current international and domestic legal frameworks to address emerging cybersecurity threats, focusing on the following specific issues: (a) states’ recourse to self-defence and countermeasures under existing international law and through the application of domestic criminal law (Chapter 5); (b) domestic, international, and EU law approaches in the area of data protection (Chapter 6); (c) approaches to balancing liberalisation of digital trade with cybersecurity concerns adopted in multilateral and regional trade agreements (Chapter 7); and (d) the tension between domestic cybersecurity measures and obligations under international investment agreements (IIAs) (Chapter 8).
Third, this book examines the responsibilities and roles of states and private actors in shaping cybersecurity governance. The principle of ‘multistakeholderism’, which engages all stakeholders, including states, international institutions, technology companies, academics, civil society, and technical experts in discussions, has been accepted as an internet governance principle since the Working Group on Internet Governance (WGIG) adopted the following working definition of internet governance:
[T]he development and application by Governments, the private sector and civil society, in their respective roles, of shared principles, norms, rules, decision-making procedures, and programmes that shape the evolution and use of the Internet.[17]
While debates continue on whether multistakeholderism should apply to different areas of internet governance,[18] successful cybersecurity governance as a component of internet governance (as discussed below) requires the involvement of both the public and private sectors, the latter being defined broadly here to include business industries (in particular technology companies), technical experts, academics, and civil society groups. Neither the public nor the private sector alone can sufficiently address cybersecurity threats.[19] The public sector plays an essential role, as cybersecurity requires, for example, setting mandatory laws and regulations and co-operation with other governments in prosecuting cybercriminals. The fact that the primary aim of technology companies, as with any other company, is to maximise profits also sets certain limits on the role of the private sector.[20]
On the other hand, cyberspace technological innovations typically come from the private sector, and purely domestic and public-centred responses will fail to address emerging cyberthreats in an effective and timely manner.[21] Corporations operate critical infrastructure (e.g. servers, security protocols, and network access points), possess the relevant expertise to evaluate threat levels and propose tools to defend against cyberthreats,[22] and are better suited to constantly updating cybersecurity standards and best practices. This underscores the need to incorporate these standards and practices into the norms of cybersecurity governance. Based on these considerations, Chapter 9 provides a comparative analysis of the existing domestic public–private partnership (PPP) mechanisms on cybersecurity, including the National Institute of Standards and Technology (NIST) cybersecurity framework,[23] and addresses the challenge of optimising private and public co-operation to tackle cybersecurity threats globally. Chapter 10 further discusses the role of the private sector and examines its limits in cybersecurity governance.
With the aims described above, this book focuses on cybersecurity governance as an element of ‘internet governance’.[24] In other words, it examines cybersecurity governance on the Internet – the most important information technology infrastructure in cyberspace.[25] Rather than trying to comprehensively cover all areas of cybersecurity regulation, this book seeks to draw lessons from various domestic, international, public, and private approaches to create a more agile regulatory framework for cybersecurity.
The book adopts a narrow definition of cybersecurity, from the Oxford English Dictionary – ‘[t]he state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this’ – an interpretation that excludes unintentional computer and human errors. Therefore, in the understanding of this book, cybersecurity governance involves the development of a set of principles, norms, rules, and processes concerning the protection of the Internet against unauthorised use or attempted such use.
1.3 Overview of the Chapters
The book begins with the analysis of international relations frameworks for cybersecurity and discusses market-oriented and state-oriented models of internet regulation. Chapter 2, authored by Kiichi Fujiwara and Paul Nadeau, offers an analysis of the challenges for governments and the private sector in cybersecurity governance from a systemic perspective. It first identifies the challenges that the liberal international order, characterised by political liberalism, economic openness, and international co-operation, has faced in the area of cybersecurity governance. It also observes that there have so far been no successful global efforts to harmonise rules or create a unified regime. This chapter then emphasises how the private sector’s essential role as innovators possessing technological expertise is unique to cybergovernance and explains how the interplay of different actors, both public and private, has practical meaning for states and actors.
Wakako Ito offers, in Chapter 3, a detailed account of Chinese cybersecurity policy as an example of a state-oriented model of internet governance. After describing China’s early attitudes towards cyberspace, it analyses in detail its cybersecurity policy under the Xi Jinping administration, and how its concept of ‘cyber sovereignty’ differs from Western countries’ approaches to cyberspace. It also examines China’s efforts to export the Chinese model of cyber laws and regulations based on the concept of cyber sovereignty to non-liberal countries. It further analyses how the country is actively involved in the formation of international rules for cybersecurity in order to spread this concept.
Summer Walker and Ian Tennant examine interstate co-operation on combating cybercrime and its limitations in Chapter 4. The chapter situates the current negotiations of a new legal instrument to counter cybercrime within the UN’s historical framework of efforts to enhance co-operation against general organised crime and cybercrime. In particular, it analyses the main issues that have held back progress on enhancing co-operation. It then proceeds to examine the current negotiation process and the prospects for effective co-operation once the negotiations come to an end, highlighting the potentially impactful legal implications of the work of the UN ad hoc committee on cybercrime.
Chapter 5, authored by Yarik Kryvoi, examines the distinction between public and private cyberattacks and responses to them in domestic law (e.g. application of criminal law) and international law (e.g. self-defence and countermeasures). After describing the different purposes, nature, and effects of cyberattacks committed by public and private actors, it argues that the determination of whether a particular cyberattack is of a public or private nature should define how states respond to cybersecurity risks. It then argues that the existing domestic and international law frameworks regulating cyberattacks suffer from serious limitations, and proposes a holistic approach for responding to cyberattacks, taking into account the difference between public and private cyberattacks.
In Chapter 6, Jens Hillebrand Pohl explores the question of how different domestic and international law approaches to regulating the international transfer of personal data deal with cybersecurity threats. It examines the 2016 EU General Data Protection Regulation, the 2021 UK National Security and Investment Act, and the 2018 United States–Mexico–Canada Agreement as representing distinct approaches for regulating international data transfers, namely data protection legislation, investment-screening legislation, and digital trade agreements. The analysis demonstrates that a lack of uniformity in terms of what constitutes an adequate level and design of data protection mechanisms has left the issue of how to distinguish between acceptable and non-acceptable data-transfer restrictions largely unresolved.
Chapter 7, authored by Elizabeth Whitsitt, analyses how trade agreements balance liberalisation of digital trade with cybersecurity concerns. The chapter identifies the strengths, weaknesses, and ambiguities facing digital trade regulation in these agreements. As a way to address the tension between international trade law and cybersecurity, it examines security exception clauses in different trade agreements. It also analyses the efforts found in recent regional trade agreements to direct state parties to have regard to international standards concerning cybersecurity issues. It concludes that harmonisation of such standards would suggest the possibility of greater coherence in cybersecurity governance.
In Chapter 8, Tomoko Ishikawa discusses cybersecurity from the perspective of human rights protection. It first identifies adopting border measures as one approach to fulfilling a state’s duty to protect its citizens against human rights violations caused by cybercrimes. It then examines the tension between these FDI-restrictive border measures and states’ investment protection and promotion obligations under IIAs. The analysis demonstrates a limitation in the current international law framework, in which invoking the concept of national security remains the only means for states to address cyberthreats, a situation that involves the risk of an accelerating shift to protectionism.
Aleks Kalisz examines, in Chapter 9, cybersecurity public–private partnerships (PPPs). Chapter 9 argues that PPPs bring together the lawmaking powers of states with the know-how of the private sector, that both are necessary to deal effectively with cybersecurity threats, and that the benefits of PPPs outweigh their limitations. It then empirically analyses the laws and regulations surrounding cybersecurity PPPs in eighteen different domestic jurisdictions to find a common denominator that could be transposed into international cybersecurity PPPs. Finally, it discusses the modalities that international cybersecurity PPPs could take and proposes a new international treaty incorporating PPPs, under which states undertake to establish domestic mechanisms for collaborating with the private sector in cybersecurity.
Based on the findings and analyses presented, Chapter 10 gives an overview of possible approaches to cybersecurity governance. Considering the existing limits to global cybersecurity co-operation, it proposes to use regional co-operation as a starting point. It analyses existing regional cybersecurity treaties to highlight the differences in these treaties that reflect the divide between the state-oriented and market-oriented models of internet governance, and to find possible areas of convergence that may pave the way towards global co-operation. It also discusses the role and limitations of the private sector, including IT industries, technical experts, and civil societies, in cybersecurity governance.